php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68226 FULLY UNABLE TO USE LOAD DATA LOCAL Startement IN Web Production Enviroments
Submitted: 2014-10-14 10:57 UTC Modified: 2020-06-04 08:54 UTC
Votes:22
Avg. Score:4.5 ± 0.8
Reproduced:20 of 20 (100.0%)
Same Version:8 (40.0%)
Same OS:8 (40.0%)
From: georgy dot garnov at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO MySQL
PHP Version: 5.6.1 OS: ALL
Private report: No CVE-ID: None
View Developer Edit
 [2014-10-14 10:57 UTC] georgy dot garnov at gmail dot com 
Description:
------------
If you set open_basedir in your php.ini or use php as fcgi you will always got "The used command is not allowed with this MySQL version" error.
You can use new PDO($dsn,$login,$password, array(PDO::MYSQL_ATTR_LOCAL_INFILE => true)) but you will have no effect.
So you are fully unable to use LOAD DATA LOCAL INFILE.
That's because of \ext\pdo_mysql\mysql_driver.c
LINES 626 to 633
#if PHP_API_VERSION < 20100412
		if ((PG(open_basedir) && PG(open_basedir)[0] != '\0') || PG(safe_mode))
#else
		if (PG(open_basedir) && PG(open_basedir)[0] != '\0') 
#endif
		{
			local_infile = 0;
		}
as you can see, you will always fail in production enviroments
no check if loaded file inside base dir just fail.
That's bad!!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-10-14 15:20 UTC] johannes@php.net
-Assigned To: +Assigned To: mysql
 [2014-10-14 15:20 UTC] johannes@php.net 
With libmysql we can't check the path. As soon as the feature is enabled the server can request any file it likes (Client sends SQL to server, the server parses it and requests the file, the client doesn't know SQL) therefore on PHP versions using libmysql we can't check the path.

With mysqlnd this is different, there we can check the path. Andrey do you have any thoughts on this? Any issues if we make this check less strict?

Security-wise "interesting" might be if a malicious server requests php://input or such.
 [2015-02-03 20:14 UTC] phpbugs2012 at joern dot heissler dot de 
See also related https://bugs.php.net/bug.php?id=62889
 [2017-10-24 08:12 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: mysql +Assigned To:
 [2020-06-04 08:54 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-06-04 08:54 UTC] cmb@php.net 
Closing this ticket as duplicate of bug #68077.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC